Question about securing accounts in a domain
Hi All,
This has come up a couple of times, and I wanted to get different input on the following scenario:
Setting up a "guest" account that is able to roam around a domain network and log in to all workstations. A proxy server could be put in place for internet filtering. The account needs to be locked down for security purposes and only have access to the internet (no other access to the network).
The network in the scenario is running Microsoft OS Server 2008 R2.
Is there a way this has been safely implemented in the past?
Regards,
The Sharp
Comments
-
TheFORCE Member Posts: 2,297
Yes it has, it's called disabling the guest account. From my experience having worked in different companies, we always disabled the guest account. Every employee should have a unique account that is tied to an individual. Guest accounts will not allow you to track, log or audit the activity of users since you will not be able to tell with certainty who performed an action. In the Infosec world it's called "non-repudiation": a user cannot deny that they performed a certain action. So basically having a guest account is not a good idea.
-
636-555-3226 Member Posts: 975
I love this question. Give me a generic account that can log into all workstations and I'll pwn your network in a short while. Things like this are a hacker's dream.
To ask the generic question - what problem are you trying to solve? There's a better way to do whatever you're trying to do.
-
blargoe Member Posts: 4,174
Yes, we need more context here.
IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
-
cyberguypr Mod Posts: 6,928
What is the purpose of this? I'm assuming everyone internally has their own set of credentials so is the goal to give this account to visitors or something? Let's hear the context before I go off on a rant on what a horrible idea this is.
-
TechGuru80 Member Posts: 1,539
I take it the account needs the ability to use CD/DVD and USB ports?
Physical access is just the start of issues in the situation stated it sounds like...
-
PJ_Sneakers Member Posts: 884
What would be the reason to do this? I can't think of a reason to do this that doesn't boil down to laziness.
-
kiki162 Member Posts: 635
Don't EVER touch the Guest account!!!!
Instead make a specific domain account that is a member of a separate group. Define what needs to be "locked down" within the network. To test the account, you can make a separate OU and block inheritance. Place a separate GP in that OU, and test away.
If you want to define what needs to be locked down and need help on how to do that, feel free to post here.
-
ITSpectre Member Posts: 1,040
Guest account = Disaster waiting to happen. Nothing is worse than giving an end user the ability to "free roam" on a network. Leave the guest account alone. Create a normal user account for said user and leave it at that... if they need specific permissions then they have to have a reason to have them. Some users think they should have admin rights so they can install programs.... but there is a reason why users don't have admin rights.
If you want an account to be locked down for network access only... just create a user account in ADUC and there you go. Set the permissions and you're done...
Enable the guest account at your own risk!!!
In the darkest hour, there is always a way out - Eve ME3
“The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
-
markulous Member Posts: 2,394
What is the exact purpose of this? I.e. what is the problem that you are trying to fix? I don't think this is the solution either way.
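
The test setup kiki162 describes above (a dedicated domain account in its own group, a separate OU with inheritance blocked, and a GPO linked only to that OU), sketched in PowerShell as an added example that is not from any poster in the thread. It assumes the ActiveDirectory and GroupPolicy modules that ship with Server 2008 R2; every name and the domain DN are hypothetical placeholders.

```powershell
# Added example. All names below (OU, group, user, GPO, domain DN) are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=com'            # assumption: replace with your domain DN
$ouName   = 'Restricted-Test'
$ouDn     = "OU=$ouName,$domainDn"
$group    = 'Restricted-Internet-Only'
$user     = 'restricted-test01'
$gpoName  = 'Restricted Account Lockdown (TEST)'

# 1. Separate OU so nothing in production is affected while testing.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn

# 2. Dedicated security group and a named domain account
#    (the built-in Guest account stays disabled and untouched).
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ouDn
New-ADUser -Name $user -SamAccountName $user -Path $ouDn `
    -AccountPassword (Read-Host -AsSecureString "Password for $user") `
    -CannotChangePassword $true -Enabled $true
Add-ADGroupMember -Identity $group -Members $user

# 3. Block inheritance on the test OU so only GPOs linked here
#    (plus any enforced GPOs from above) apply to the account.
Set-GPInheritance -Target $ouDn -IsBlocked Yes

# 4. Create an empty GPO and link it to the test OU. The actual restrictions
#    are then defined in this GPO through the Group Policy Management Console.
New-GPO -Name $gpoName -Comment 'Test lockdown policy for the restricted account'
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes

# 5. Verify the result before logging on with the test account.
Get-GPInheritance -Target $ouDn |
    Select-Object Path, GpoInheritanceBlocked, GpoLinks
```

Blocking inheritance also stops non-enforced baseline GPOs from the domain level from reaching the test OU, so any baseline settings the account still needs have to be linked to the OU explicitly.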